RSA and IBM's turning to big data analytics to improve security monitoring mark what some analysts say could be the wave of the future

Dark Reading Staff, Dark Reading

January 31, 2013

4 Min Read

IBM and EMC's RSA security division are placing a big bet on big data playing an important role in security.

With an eye toward using analytics to improve threat detection, both companies released products this week that industry watchers say may herald the coming of a new set of technologies for identifying and stopping security threats.

In the case of RSA, the company released the RSA Security Analytics solution, bringing together the company's security information event management (SIEM), network forensics, and big data analytics capabilities into a platform. IBM is following a similar path, fusing its QRadar SIEM technology with its Apache Hadoop-based InfoSphere BigInsights analytics platform.

"The volume of monitoring data makes it difficult to pursue detailed investigation without tools that can improve the performance of analysis," says Scott Crawford, managing research director for Enterprise Management Associates. "Platforms such as Hadoop can improve this performance through a distributed, parallel approach that leverages what is essentially a 'divide and conquer' strategy, such as MapReduce."

In addition, these big data environments can be more accepting of a wider variety of data, imposing fewer restrictions, such as rigid schema requirements, in order to ingest data, Crawford adds.

Paul Stamp, director of product marketing at RSA, says the goal for the company is to reduce the number of manual steps an analyst needs to take in order to identify a threat.

"So think of a host beaconing out to a C2 [command-and-control] site on a regularly scheduled basis," he tells Dark Reading. "If an analyst can isolate the suspect host, they can eyeball a graph to see that they’re reaching out to this host regularly. But with a big data approach, you can create a rule that computes and analyzes the interval between sessions and determines whether we’re talking about normal human activity, or machine-generated -- which is innocuous -- or scheduled activity like malware might do."

According to Crawford, the implementation of a common data warehouse architecture to manage both log data and network content found in RSA's platform is a departure from the siloed reality of having a SIEM solution for log data and an investigative platform like NetWitness for network content.

"The integrated capabilities will share access to a common data repository, which suggests further directions for both technologies," he says. "Historically, alerting technologies have been dependent on what is already known: One has to develop rules to correlate event data and raise alerts. Coupling this capability with an investigative platform ... gives investigators access to a wider range of data, including log and event information, which can deepen insight into suspicious activity. It may also allow investigations to yield results that can be employed more directly in monitoring systems to sharpen awareness when suspicious activity occurs."

IBM is looking to combine real-time correlation for custom analytics leveraging structured data, such as security device alerts and DNS transactions; unstructured data, like email and social media content; and forensic capabilities for evidence gathering. The company hopes fusing these capabilities will help organizations better address security challenges ranging from insider threats to sophisticated malware attacks.

"Leveraging assets from across IBM, we are on a relentless push to expand the scope of our security intelligence capabilities," said Brendan Hannigan, general manager of IBM’s Security Systems Division, in a statement. "Our goal is to provide clients with the most visibility into every bit of data, no matter where it resides across their network and help them learn from past activity to better secure the future."

Sophisticated attacks are testing the limitations of security analytics tools every day, something a big data approach could help fix, says Jon Oltsik, senior principal analyst for Enterprise Strategy Group.

"The big data phenomenon could help address this situation for security professionals, making it important for organizations to rethink their choice of security solutions," he said in a statement. "Marrying intelligence-driven security with big data analytics has the potential to help enterprises address the complex problem of advanced threats and thus meet a significant need in the marketplace.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:


About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights